No More Unrestricted Internet At Work
Schlemphfer writes: "You can forget about using private email or surfing the web while at work if these bozos have their way. And judging by the Reuters article, it looks like they might. Basically what they're doing is trying to scare senior management into thinking that allowing employees unrestricted use of the net will cripple a company with viruses and lawsuits."
At work we have somewhat of an answer to viruses. 20 file extensions including exe, pif, scr, com, bat, vbs, vbe, and others are filtered at the server into a "Quarantine" folder and reports are generated every few hours on it and piped to a line printer for our review. We deal with them from there by either giving them to the employee, or by responding to who sent it with an automagically generated email.
Additionally, all mail is screened against the server's pattern file, which tries to update itself hourly. If something passes through mail, it'll be found if on a server, and the client software, which updates its pattern file upon logon, will find things as they're opened.
All with unnoticeable performance difference. We haven't had a virus infection in a LONG time now.
Worms like Nimda are a bit more annoying, but we take things like this seriously, and by doing so, avoided Nimda and others completely.
=====
As for net access, we do run reports on the proxy logs occasionally. Employees understand that they have little privacy in the workplace and that if we see them goofing off (except for after hours or at lunch), they do get an email regarding it. But we haven't had to do that in years. They more or less behave, because we trust them and they trust us.
-----
Whilst it may be a bit extreme to say "cripple" there is some justification there...
I am the system administrator at a college here in Australia and if we did not filter/limit the kids' access to the internet then all the bandwidth on our (meager) internet connection would be soaked up by kids wasting time on MUDs, IRC, HotMail, Chat, Online games, Warez sites, and other such activities, and the staff and students who actually try to do some work (research/E-mail etc) would have a hell of a time trying to get anything done.
So whilst I agree that private use of the 'net should be allowed, there are limits that need to be put on WHAT private use is allowed. Not only to free up the bandwidth for legitimate uses, but also free up computers for those that wish to work rather than just waste their time...
Having said that, there is indeed a need for increased security awareness in many companies. Buying more gear isn't really that cost effective though. Educating your people and letting them know the expected behaviour is better. This includes increasing the Cluedness of manglement so that they are aware of what their people are doing. If someone feels a need to surf pr0n all day instead of doing their job, your problem is not giving them access to pr0n. Why not find out why people are doing it instead of working?
If you've got people using decent passwords that they don't put on PostIt notes on their monitor; if your network techs are using ssh instead of telnet to configure routers; if every two bit middle manager stops demanding to be an exception to all the rules; and if you still have security issues, then maybe you can start looking at more drastic solutions. Security must be holistic, and more often than not it's more a business process issue, not a purely technical one.
Lastly, I've been at sites with really tight access policies that were easy enough to bypass for someone in the know. If there's any outbound access permitted, there's a way to bypass the security. So go ahead and implement this stuff. If I really want to get past it, I probably can.
But then, I've got better things to do with my time than surf pr0n at work, so when I say I need ssh access outbound, I actually do. Don't stop me doing my job by implementing some half-assed pseudo-security solution. Better yet, hire me to do it right! ;-)
Just because you're paranoid doesn't mean they're NOT after you.
Bollocks.
Yes, you are being paid for your time by the company. But it is the company's job to make sure that you are happy, unstressed and relaxed while giving your time - otherwise they are a slave driver, tying you to your desk for every last bit of that 8+ hours. And if they are a slave driver, the slaves are unlikely to be productive, produce good work, or hang around long.
For employees to be productive, they must be happy, to make employees happy they must be relaxed, to relax tech employees you have to give them some leeway in what they do online.
The golden rule is - as long as the job gets done, in the time you said you would do it, then the employer shouldn't care when exactly in that time period you did it.
NZ Electronics Enthusiasts: Check out my Trade Me Listings
So the internet lowers productivity by 25% just by connecting to it. Anyone with any brains at all would pull the plug.
Maybe you don't remember time wasting activities in the pre-internet era. Things like: wandering the plant on epic donut quests, endless banter with your office mates, reading thick publications like Byte and PC-Week cover-to-cover, writing video game emulators, calling all of the car stereo stores in the Yellow Pages looking for the best deal on an in-dash cassette player, and countless others.
I'm guessing that Internet usage has cut into the above activities more than into real work. In my case, I think the amount of off-topic time I spend at work has remained roughly constant over the last 15 years. (And it's been more than balanced by work I've done while at home).
Why would a company try blocking posts to slashdot, but not CNN? I don't know but one that does is Morgan Stanley. Once they tried blocking the entire slashdot site, however after many complaints, they unblocked it, except for any URLs containing comments.pl. So now you can't post, or sort or thread articles before you read them.
Unfortunately there's too many proxy servers out on the web for them to block, and anyone using slashdot knows how to find them
They also try blocking the usual porn sites via Websense, but don't block google cache. Also they try to block file extensions from email, so you have to ask people to rename that .exe file before they send it. :)
Just don't ask how much money they've spent trying to half-heartedly implement all this blocking, it would run a small country. However I guess it keeps a skyscraper of IT people in work, and that can't be bad.
E-mail went out to all Lucent today -- starting ASAP all access to webmail accounts (HotMail, Netscape, Yahoo, etc.) will be blocked and is against policy. It seems they don't like the threat of viruses getting thru around the normal e-mail checks.
However, they have expressly allowed limited personal use of company e-mail.
VPN sucks.
Learning HOW to think is more important than learning WHAT to think.
Nice try.
But syphilis is a bacterial infection, not a viral one.
Then you *certainly* will not be using slashdot to gain details of what is happening in the Real World!
Hint - remember yesterday's bull about M$ banning VNC on XP systems? Had Timothy bothered to check the post before accepting it, he'd have realised it was 100% wrong and spared us. But then slashdot wouldn't be slashdot if the "editors" bothered to check facts.
and they expect us to PAY for this?
*sigh*
From the article:
The biggest developments are around email prevention, experts say. Elaborate content filtering software, which can run upwards of $30,000 to install, can block all but the tamest incoming emails, and most attachments, said Trend Micro's Genes.
...
But instituting these new security measures can be a costly and labor-intensive investment, experts say, likely discouraging firms with meager IT budgets from upgrading beyond the status quo. "It's a question of resources," said a spokeswoman at UK-based Sophos Anti-Virus. "If you have one or two guys implementing IT at your organization, it's not going to make much sense."
What a crock... I am a network administrator (and basically the ONLY IT employee) for a small company of about 50 people and using some procmail scripts on our FreeBSD mail server, have been able to accomplish this with probably about 3 hours total of set up time. For those interested, here's a URL to a FREE solution to blocking e-mail attachments based on extensions, filenames, and even content (it can scan for Office document macros). Procmail Security
Since I've been there, we've had absolutely ZERO e-mail based viruses/worms that penetrated the desktop through our mail server (One did get through but that was through an executive's AOL account...)
So far, most employees have been very cooperative towards the policy and are grateful that they don't have to be so worried when they read about e-mail viruses going around because the server automatically mangles or quarantines viruses that match the ruleset we implemented.
Sleep is just a poor substitute for caffeine, anyway. -Bob Lehmann
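Added example, not part of the original thread or any poster's configuration: a minimal Python sketch of the server-side extension filter several comments describe, deciding between delivery and quarantine from attachment filenames. The blocked set is the seven extensions named in the thread; the function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The seven extensions named in the thread (the poster's full list of 20 is not given).
BLOCKED = {"exe", "pif", "scr", "com", "bat", "vbs", "vbe"}

def final_extension(filename):
    """Lower-cased last extension, ignoring trailing dots and spaces."""
    name = filename.strip().rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def blocked_attachments(raw):
    """Return the filenames of all MIME parts whose final extension is blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, falling back to Content-Type "name"
        filename = part.get_filename()
        if filename and final_extension(filename) in BLOCKED:
            hits.append(filename)
    return hits

def route(raw):
    """Mail-server decision: quarantine the message if any attachment is blocked."""
    return "quarantine" if blocked_attachments(raw) else "deliver"

def build_sample(filenames):
    """Construct a test message with placeholder attachments (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in filenames:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    sample = build_sample(["report.pdf", "holiday.jpg.vbs", "SETUP.EXE"])
    print(route(sample), blocked_attachments(sample))
```

The check trusts the sender-supplied filename, so it only catches what is honestly named; that is why the setups described above pair it with pattern-file scanning on the server and the client.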